What is the difference between M2Crypto's set_client_CA_list_from_file() and load_verify_info(), and when should each be used?
The M2Crypto library has a few CA-related functions on its SSL.Context object, but the documentation is very unclear as to when you would use certain functions and why. In fact, the docs for almost all of them are, "Load CA certs into the context," so it seems possible that they all do the same thing.
There are several examples that use both set_client_CA_list_from_file() and load_verify_info(), but there are also other similar functions like load_client_ca() and load_verify_locations().
I am writing both client and server pieces. What functions should I use and why? What specifically do they do?
Edit:
Looking through the code I see:
# Deprecated.
load_client_CA = load_client_ca = set_client_CA_list_from_file
and
# Deprecated.
load_verify_info = load_verify_locations
So that helps a little. This brings us down to two functions: set_client_CA_list_from_file() and load_verify_locations(). But I still can't quite tell the difference between the two.
If your server requires the client to present a certificate, it can restrict who the valid issuers of the client certificates are by specifying the issuers when calling set_client_CA_list_from_file. This is actually pretty rare.
The client specifies who are the valid server certificate issuers by calling load_verify_locations. Almost all clients should do this.
Both client and server can call load_cert to set their own certificate. Servers should almost always do this. Clients should probably do this only if the server requires the client to present a certificate.
I recommend you pick up a copy of Network Security with OpenSSL by John Viega, Matt Messier and Pravir Chandra, ISBN 059600270X, which should clarify these issues in more detail.